All the World’s a Chess Board, and All the Security Pros Merely Pieces

Information security is a lot like chess. On the macro level, the security field is divided between the black hats and the white hats, just as a chessboard is split between black and white pieces. Those groups compete against one another using a combination of offensive and defensive tactics.

Ultimately, each “match” is different from the next. Some finish up quickly, whereas others drag on. But in every case, the aim is the same: to impose your will on the other side’s King, which in this metaphor stands for its information assets. The black hats win if they wipe out the white hats’ security controls and compromise their endpoints, whereas the white hats win if they block the black hats’ advances and shut down their criminal infrastructure.

No one understands these and other extensions of the infosec-chess metaphor better than Chris Conacher, manager of security content and research at Tripwire. He has written extensively about how chess relates to information security. In one of his posts, for example, Conacher zooms in on the metaphor’s micro level to analyze how each chess piece fits within an organization’s security culture. The King, he reasons, is akin to the CIO in that it is ultimately responsible for enabling and facilitating security for an entire organization, whereas the pawns are an organization’s basic security controls. Every other piece also has a part to play, he argues. That role is shaped by each piece’s strengths and weaknesses.

Conacher’s analysis fascinated all of us here at The State of Security, so much so that we decided to share it with attendees at RSA Conference 2016 and ask to hear their thoughts on the infosec-chess metaphor. Specifically, we asked what chess piece they would like to be and why.

Here’s what they had to say.

The Knight: Unpredictably Evading Obstacles

Nearly half of those who participated in our survey said they would be the Knight. Explaining their choice, one respondent pointed to the piece’s unconventional style of movement as useful in the fight against digital attackers:

“The Knight does not move in a straight line. It moves in an ‘L’ shape, which means it can guard the field without being in direct line of sight. It is concealed behind the corner and is therefore less predictable. This has important parallels in the world of information security. Removing ‘predictability’ is like adding another layer of security to a network. For example, if a hacker can’t figure out how your data is guarded, it will take them a lot more time to launch a successful attack, providing us with more time to spot them sneaking around so that we can shut them out.”

Others pointed to the Knight’s ability to maneuver over other pieces without requiring them to first move out of its way:

“The Knight is not constrained by obstacles along its path. In security defense, we should be like the Knight. We can’t let ourselves be constrained by what the attacker has set up or blocked. Rather, we need to be agile enough to move past obstacles and take down the enemy.”

Together, unpredictability and maneuverability are key advantages when it comes to protecting your organization against a host of digital threats, as one participant astutely observed:

“I chose the Knight because its job is to defend or attack the King and Queen. It will constantly be on the battlefield facing down adversaries that range from Pawns (script kiddies) to other Knights and Bishops (organized crime and hacktivists) to Kings and Queens (nation-state actors). It is dedicated to the cause of keeping the kingdom safe against whomever might choose to attack.”

With that in mind, the Knight should never be neglected. In fact, strategic use of this piece could mean the difference between victory and defeat. One respondent clarified this point for us:

“If used correctly, it can set up an easy win. The Knight is superior to the Bishop, a ‘slacker’ piece that can’t move unless someone moves out of its way.”

The Bishop: Deflecting to an Easier Target

Not everyone felt the same way about the Bishop. In fact, those who chose this piece likened it to the Knight in its ability to surprise the enemy with unconventional movements.

One respondent, for example, said, “No one ever looks out for a Bishop.”

Another expanded upon this thought:

“I would counter a cyber-attack with a diagonal move instead of blocking it head-on. In other words, I would try to be different from what an attacker might expect to find so that I could counter their tools and drive up the cost of attacking me. This way the attacker would go elsewhere for an easier target.”

The Pawn: Unveiling the Opponent’s Strategy

And what easier target could there be than the Pawn? Many consider it to be the weakest piece in chess because it cannot move very far and can only move forward. However, it can still serve a critical function: sacrificing itself in order to unveil the attacker’s strategy.

That is exactly why one respondent chose to be the Pawn:

“The Pawn is used to identify the strategy of the hacker. It sacrifices itself to see what techniques the hacker is using. In the process, it provides the player with invaluable knowledge on how they can develop and deploy a stronger defensive strategy.”

Integral to that strategy is where and how a player chooses to draw the front line of defense, a decision that applies equally to information security. One survey participant put it perfectly:

“A pawn’s job is to help the business securely achieve its objectives. It slowly and methodically advances the front line of defense while allowing its fellow pieces to strategize and maneuver behind it. A pawn moves only forward, never backwards, as it advances its security posture in conjunction with business objectives and with seven other pawns on the board, i.e. an organization’s defense-in-depth strategy and controls.”

The Queen: Wielding Power to Rule the Board

With the Pawns holding down the front lines, more powerful pieces such as the Queen can develop a plan of attack.

Only one respondent ultimately chose the Queen, but as they explained to us, they did so because it (like the Knight) is one of the most flexible pieces in chess:

“I would choose the Queen, the most powerful piece on the board. Its ability to move far in a number of directions enhances its ability to protect all the other pieces, especially the vulnerable King. And let’s face it, the security industry needs stronger women pieces.”

Conclusion

As our experiment at RSA reveals, infosec professionals can strengthen their organizations’ security defense by adopting certain qualities of the Knight, the Bishop, the Pawn, and the Queen. However, just as in chess, merely placing these and other pieces randomly around the board does not guarantee victory. As Conacher writes in his second infosec-chess piece, organizations need to act like a player and develop a strategy that makes the best use of all the pieces. Failing to do so will essentially hand the match to the opponent, regardless of what security controls and other defenses an organization has in place.

What chess piece do you feel would contribute most to your organization’s security strategy?

Enter Tripwire’s competition at InfoSecurity Europe 2016 today! All you need to do is let us know which chess piece you would choose, why, and how your actions and strategies in battle match the capabilities of the chess piece you picked, and you could win a Hubsan X4 drone, a remote controlled BB8, or a Pico projector! All winners will be announced at the end of InfoSecurity Europe 2016.
